
Port-security black-holing PCs connected to an IP-Phone

cerp
Level 1

We are running port-security on a 3750-48PS-S switch running C3750-ipbasek9-mz.122-25.SEE IOS and we are experiencing a strange problem. We have a data VLAN and a voice VLAN configured on each port; we then run port-security sticky on each port with a maximum of 2 MAC addresses. PCs are connected behind Cisco IP-Phones. This is our standard config and normally we have no problem. On this switch, though, as soon as we turn on port security all of the PCs are black-holed. You can't ping them or RDP to them, and from the user perspective they have no network access. The IP-Phones work fine and we show the MAC address from the phone and the PC as securesticky addresses. The switch never shows the ports down due to a port-security violation. As soon as I disable port-security the PCs are restored to traffic. I've included a sample of our port configs.


Edison Ortiz
Hall of Fame

Try these commands:

switchport port-security maximum 1 vlan voice

switchport port-security maximum 1 vlan access

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_see/command/reference/cli3.html#wp1948361

cerp
Level 1

Found the problem... Somehow the MAC address of the default-gateway router was entered/learned by one of the Fast Ethernet ports and was written into the config as a sticky MAC address. So during the ARP process all the PCs were fooled into thinking the default gateway was on a local Ethernet port. Cleared the MAC address and everything is good now. Please close this thread.
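
An audit for the root cause found in the last reply, as an added example that is not part of the original thread: it scans a saved running-config for sticky secure MAC entries that match a known gateway or router MAC. The config excerpt, the MAC addresses and the function names are constructed for illustration.

```python
import re

# Constructed running-config excerpt: interface names and MACs are made up.
SAMPLE_CONFIG = """\
interface FastEthernet1/0/5
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.2233.4455
 switchport port-security mac-address sticky 00aa.bbcc.dd01 vlan voice
interface FastEthernet1/0/6
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.2233.4466
 switchport port-security mac-address sticky 0000.0c07.ac0a
interface GigabitEthernet1/0/1
 description uplink to router
"""

# Matches only lines that carry a saved MAC, not the bare "sticky" enable line.
STICKY_RE = re.compile(
    r"^\s*switchport port-security mac-address sticky\s+"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})(?:\s+vlan\s+(\S+))?\s*$",
    re.IGNORECASE)

def normalize(mac):
    """Reduce dotted, colon or hyphen MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def sticky_entries(config):
    """Yield (interface, mac, vlan) for every saved sticky secure MAC."""
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            continue
        m = STICKY_RE.match(line)
        if current and m:
            yield current, normalize(m.group(1)), m.group(2)

def misplaced_infrastructure_macs(config, infrastructure_macs):
    """Sticky entries whose MAC belongs to a router/gateway, not an end host."""
    infra = {normalize(m) for m in infrastructure_macs}
    return [e for e in sticky_entries(config) if e[1] in infra]

if __name__ == "__main__":
    # Gateway MAC as it might be copied from a host's ARP table (constructed).
    for port, mac, vlan in misplaced_infrastructure_macs(
            SAMPLE_CONFIG, ["00-00-0C-07-AC-0A"]):
        print(f"{port}: gateway MAC {mac} saved as sticky (vlan {vlan or 'default'})")
```

Running it against a config backup before enabling port security on a switch shows which access ports already hold a router MAC as a sticky entry.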
